Epic Target hack reportedly began with malware-based phishing e-mail

Attack hit contractor two months before the compromise of 40 million payment cards.

The breach at Target that exposed payment card data and personal details for as many as 110 million of its customers may have begun with a simple malware-laced phishing e-mail sent to a refrigeration contractor that worked for the retailer, according to a report published Wednesday by KrebsOnSecurity.

Citing multiple people familiar with the ongoing investigation, Krebs said Wednesday that the Target credentials were obtained using an e-mail malware attack that began about two months before thieves began siphoning data for 40 million payment cards from Target's network-connected cash registers. Two of the sources said the malware was the Citadel password stealing program, but that detail hasn't been confirmed. Krebs went on to raise the possibility that the people who compromised the HVAC firm may not have done so with the intent of hacking Target and carrying out one of the largest data thefts in history. He also said that documentation that Target left in plain view on its website may have made the subsequent attack much easier to carry out. Krebs explained:

Many readers have questioned why the attackers would have picked on an HVAC firm as a conduit for hacking Target. The answer is that they probably didn’t, at least at first. Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.

But Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. Indeed, many of these documents would be a potential gold mine of information for an attacker.

Here’s an example that just happens to be somewhat specific to HVAC vendors: A simple Google search turns up Target’s Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc. That page leads to a separate page of information on Target Facilities Management, which includes a slew of instructions on submitting work orders. That page also includes a link to another set of resources: A Supplier Downloads page that, oddly enough, is little more than a long list of resources for HVAC & refrigeration companies.

What could an attacker learn from this information? For starters, download any of the Microsoft Excel files listed at that page. Then scan the file with a free online service (like this one) that extracts metadata from submitted files. Scanning the file “FM_HVAC_Oct_2011_Summary.xlsx” from the Supplier Downloads Page, for example, tells us that the file was created in June 2011 with a copy of Microsoft Office 2007 licensed to Target Corp. That metadata also indicates the file was created or last edited by a person with the Windows username “Daleso.Yadetta,” and that it was most recently printed to a system on Target’s network in the following Windows domain: “\\TCMPSPRINT04P\”.

Getting the layout of the various Windows domains within Target’s internal network would certainly help the attackers focus their attention. For example, consider what we know about a key piece of the malware known to have been used in the Target intrusion, first referenced in a story on Jan. 15, 2014. Investigators who examined the malware quickly noticed that it was designed to move data stolen from Target’s (then malware-infected) cash registers to a central collection point on Target’s network, a Windows domain called “\\TTCOPSCLI3ACS\”.

Krebs has many more newly uncovered details, some that closely scrutinize the security hygiene of both Target and its HVAC contractor. The Krypt3ia blog has a post here showing how publicly available information associated with Fazio Mechanical could have been used to hack Target.